7 tools that have influenced the reversing community

May 19, 2016

TL;DR: Reverse engineering has been used by the military, big companies and many more. It is the act of taking something (a computer, device, weapon or piece of software) and “stripping” it down to learn or analyze its inner workings in detail. Compaq, one of IBM’s major competitors, did this in the early 1980s, using the reverse engineering process to dissect the IBM PC and build their own product. In this blog post, we list 7 tools for reverse engineering on the Microsoft Windows platform that have influenced the reversing community the most.

The first group of tools highlighted are DRM (Digital Rights Management) tools, made for copyright protection in the videogame industry. DRMs are particularly interesting because major strides in copy protection are being made by companies who have game developers as their clients. Game development is increasingly focused on online gaming, as many recently released games require an online connection to access multiplayer features or even to start playing.

Denuvo anti-tamper

Background:

Developed by Sony DADC, Denuvo is the spiritual successor to the widely used SecuROM copy protection. The initial release was in 2014 and it wasn’t long before piracy groups were able to bypass the protection. However, the Denuvo developers patched the loopholes that the early iterations had and the protection remains uncracked to this day.

Why:

Several of the biggest game developers have expressed their concerns about releasing games for the Microsoft Windows platform due to high piracy levels. The Denuvo DRM has been used in several AAA games and has shown that it is able to handle piracy. Could this perhaps be the answer to game developers’ concerns?

Pros:

Offers excellent protection against piracy

Cons:

Price

Valve Steamworks

Background:

Developed by Valve Corporation, Steam is a platform for games and other software. Released in 2003, the service really took off with the release of Half-Life 2 in 2004.

Why:

As gamers have noticed, the days of using a CD or DVD to install and play games are over. With platforms such as Valve’s Steamworks, more games are being bought digitally. A major reason for games being available as digital purchases only is piracy – when games are shipped on discs there is always a risk of the game leaking before release. When a game is only available as a digital copy, game developers are in full control, as they can set the date from which the game can be played, which effectively eliminates all leaks.

Pros:

Cons:

Always-Online

Background:

This form of protection is solely dependent on the game type and the route that the developers take, as some games are developed with online play in mind and others are not.

Why:

Some copy protections have given legitimate buyers a headache – in some cases these users were unable to play the game because the copy protection was so intrusive. Publishers then decided not to ship the game with protection, but instead to sync game data with a server and make the game unplayable in case of connection loss.

Pros:

In some cases, a better user experience

Offers excellent protection against piracy

Cons:

No offline mode, unusable without internet connection

Tools used for reversing

x64dbg

Background:

Actively developed by several groups of people who considered the existing tools for x64 debugging lackluster; first released in 2013.

Why:

With the increased popularity of the x64 platform, the need to be able to debug and reverse x64 binaries grew. Popular older debuggers are not usable on x64 because they either lack support or are outdated, hence the need for new tools. x64dbg tries to solve this problem and supports the same plugins as several other popular tools, and the developers have even released an SDK to help with plugin development. x64dbg is built on the same principles that OllyDbg and WinDbg were.

Pros:

Open source

x64-oriented

Cons:

Early stages of development

IDA Pro

Background:

Released in the mid-1990s, this is the holy grail compared to other tools. Actively developed by Ilfak Guilfanov, the main developer at Hex-Rays, IDA Pro is one of the best, if not the best, disassemblers available on the market. It is a debugger and a disassembler that is so popular and advanced that there are many papers focusing on specific areas of the capabilities available to the user.

Why:

Used by some of the biggest companies, the range of things that can be reversed with this software is unparalleled. ESET Labs, for example, uses IDA Pro when reverse engineering malware for their AV software. The software is very mature, is considered very stable and has no major flaws. It is the tool that many want to be, but few actually are. Hex-Rays also offers paying customers an SDK that they can use to develop extensions, including in the Python language. They also offer an older version for free; however, newer features are missing from that version.

Pros:

Support for a massive amount of platforms

Great support from the developers and their forums

Great documentation available

Cons:

OllyDbg

Background:

Released around 2000 by Oleh Yuschuk, OllyDbg is primarily a 32-bit debugger, but the author is working on 64-bit support. Released as freeware at a time when competitors’ products were really expensive, it quickly gained users. The author saw this and decided to release a plugin development kit, which sparked the development of plugins. To this day, there are various scripts and plugins available to manage and automate the reversing process. Some plugins even go as far as to completely remove the copy protection they were designed for.

Why:

Often described by reversers as the door to the world of reversing, this very popular tool has seen its share of forks. Being very simple to use, combined with a good feature set, made OllyDbg rise to the top. At the time of release its only competitors were SoftICE and IDA Pro, both considered vastly harder to use.

Pros:

Freeware

Tutorials, plugins, extensions

Cons:

Slow or stale development

Struggles with .NET

No x64 support

Radare2

Background:

Released in 2006, it is similar to IDA Pro in that it supports a lot of platforms. This tool has a thriving community.

Why:

Radare2 is similar to IDA Pro, but the big difference is that Radare2 is open source while IDA Pro is proprietary. Radare2 is built around the same principle as IDA Pro, delivering great support and documentation as well as supporting tons of different platforms, from Linux ELF to ARM. It is even possible to run Radare2 on mobile devices such as the iPhone or devices running Google’s Android. R2, as it is known in the community, is considered to be a real competitor and is talked about at various expos where the focus is on reverse engineering.